metron-issues mailing list archives

From "Neha Sinha (JIRA)" <j...@apache.org>
Subject [jira] [Created] (METRON-402) Snort timestamp field shows up wrong value
Date Fri, 02 Sep 2016 04:14:20 GMT
Neha Sinha created METRON-402:
---------------------------------

             Summary: Snort timestamp field shows up wrong value
                 Key: METRON-402
                 URL: https://issues.apache.org/jira/browse/METRON-402
             Project: Metron
          Issue Type: Bug
    Affects Versions: 0.2.2BETA
            Reporter: Neha Sinha


Hi,
I injected the following Snort log:

07/28-06:37:58.922676 ,1,999158,0,"'snort test alert'",TCP,192.168.138.158,49188,62.75.195.236,80,00:00:00:00:00:00,00:00:00:00:00:00,0x3C,***A****,0xF017C4DA,0xABDB8426,,0xF6C9,128,0,2319,40,40960,,,,

I expected the timestamp field in the indexed JSON to be the epoch equivalent of what is given in the
log. However, the indexed Snort JSON represents the current date and time.
========================================================
{
  "_index": "snort_index_2016.09.01.09",
  "_type": "snort_doc",
  "_id": "AVblCLtfZ5WQUn7o8i6U",
  "_version": 1,
  "_score": 1,
  "_timestamp": 1469688800676,
  "_source": {
    "msg": "\"'snort test alert'\"",
    "enrichments:geo:ip_dst_addr:locID": "794448",
    "enrichments:geo:ip_dst_addr:location_point": "48.5839,7.7455",
    "sig_rev": "0",
    "ip_dst_port": "80",
    "threatinteljoinbolt:joiner:ts": "1472721369718",
    "ethsrc": "00:00:00:00:00:00",
    "tcpseq": "0xF017C4DA",
    "dgmlen": "40",
    "enrichmentsplitterbolt:splitter:begin:ts": "1472721369701",
    "enrichmentjoinbolt:joiner:ts": "1472721369707",
    "adapter:geoadapter:begin:ts": "1472721369702",
    "tcpwindow": "0xF6C9",
    "enrichments:geo:ip_dst_addr:latitude": "48.5839",
    "tcpack": "0xABDB8426",
    "protocol": "TCP",
    "source:type": "snort",
    "adapter:threatinteladapter:end:ts": "1472721369718",
    "ip_dst_addr": "62.75.195.236",
    "original_string": "07/28-06:37:58.922676 ,1,999158,0,\"'snort test alert'\",TCP,192.168.138.158,49188,62.75.195.236,80,00:00:00:00:00:00,00:00:00:00:00:00,0x3C,***A****,0xF017C4DA,0xABDB8426,,0xF6C9,128,0,2319,40,40960,,,,",
    "adapter:hostfromjsonlistadapter:end:ts": "1472721369702",
    "tos": "0",
    "adapter:geoadapter:end:ts": "1472721369707",
    "id": "2319",
    "ip_src_addr": "192.168.138.158",
    "threatintelsplitterbolt:splitter:end:ts": "1472721369707",
    "enrichments:geo:ip_dst_addr:longitude": "7.7455",
    "timestamp": 1469688800676,
    "ethdst": "00:00:00:00:00:00",
    "enrichmentsplitterbolt:splitter:end:ts": "1472721369701",
    "enrichments:geo:ip_dst_addr:city": "Strassbourg",
    "enrichments:geo:ip_dst_addr:postalCode": "67100",
    "is_alert": "true",
    "adapter:hostfromjsonlistadapter:begin:ts": "1472721369702",
    "ttl": "128",
    "ethlen": "0x3C",
    "iplen": "40960",
    "ip_src_port": "49188",
    "threat:triage:level": 10,
    "threatintelsplitterbolt:splitter:begin:ts": "1472721369707",
    "adapter:threatinteladapter:begin:ts": "1472721369708",
    "tcpflags": "***A****",
    "enrichments:geo:ip_dst_addr:country": "FR",
    "sig_id": "999158",
    "sig_generator": "1"
  }
}
========================================================

In order to investigate this case I went through https://github.com/hortonworks/metron/blob/apache-ref/master/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/snort/BasicSnortParser.java
and found the following "TODO" note in the "toEpoch" function:

========================================================
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.Date;

private long toEpoch(String snortDatetime) throws ParseException {

    /*
     * TODO how does Snort not embed the year in their default timestamp?! need to change this in
     * Snort configuration.  for now, just assume current year.
     */
    int year = Calendar.getInstance().get(Calendar.YEAR);
    String withYear = Integer.toString(year) + " " + snortDatetime;

    // convert to epoch time; the JVM default time zone applies, and "S" is the
    // millisecond field, which on parse consumes every digit that follows the '.'
    SimpleDateFormat df = new SimpleDateFormat("yyyy MM/dd-HH:mm:ss.S");
    Date date = df.parse(withYear);
    return date.getTime();
}
========================================================

As per the above "TODO" note, the year would match the current year, but the rest of the time
fields should match what is in the original Snort log.
However, this is not the case.

Also, do we have any JIRA to track the "TODO" part? We should have one as an enhancement
at least.

Regards,
neha




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
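Editor's added example (not code from the report or from the Metron project): the two readings of the Snort timestamp side by side. `lenient_java_epoch_ms` models what `SimpleDateFormat("yyyy MM/dd-HH:mm:ss.S")` does with a six-digit fraction (the `S` millisecond field reads all of ".922676" as 922676 milliseconds and the lenient Calendar rolls the excess into seconds and minutes); `snort_to_epoch_ms` treats the fraction as microseconds, which is what Snort prints. Assumptions: the JVM that produced the indexed document ran in UTC, and the substituted year was 2016. Under those assumptions the model returns exactly the 1469688800676 shown in the indexed JSON for the quoted line, while the microsecond parse returns 1469687878922 (06:37:58.922 UTC on 28 July 2016), 921754 ms earlier. `pick_year` is a hypothetical replacement for the "assume current year" TODO, also not the project's code.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the timestamp from the Snort line quoted in the report,
# and the year the parser would have substituted when the report was filed (assumed 2016).
SAMPLE_TS = "07/28-06:37:58.922676"
SAMPLE_YEAR = 2016

# Snort's default alert timestamp: MM/DD-HH:MM:SS.ffffff, with no year.
_SNORT_TS = re.compile(r"^(\d{2})/(\d{2})-(\d{2}):(\d{2}):(\d{2})\.(\d{1,6})$")


def utc(*args):
    """Build an aware UTC datetime (assumption: the JVM default time zone was UTC)."""
    return datetime(*args, tzinfo=timezone.utc)


_EPOCH = utc(1970, 1, 1)


def _fields(snort_ts):
    """Split a Snort timestamp into integers; the fraction also keeps its digit count."""
    m = _SNORT_TS.match(snort_ts.strip())
    if m is None:
        raise ValueError("not a Snort MM/DD-HH:MM:SS.ffffff timestamp: %r" % snort_ts)
    month, day, hour, minute, second, frac = m.groups()
    return int(month), int(day), int(hour), int(minute), int(second), int(frac), len(frac)


def _epoch_ms(dt):
    """Milliseconds since the Unix epoch via integer timedelta division (no float rounding)."""
    return (dt - _EPOCH) // timedelta(milliseconds=1)


def lenient_java_epoch_ms(snort_ts, year):
    """Model of SimpleDateFormat("yyyy MM/dd-HH:mm:ss.S"): 'S' is the millisecond
    field and on parse it consumes every trailing digit as one integer, so
    ".922676" becomes 922676 ms and the lenient Calendar rolls the excess over."""
    month, day, hour, minute, second, frac, _ = _fields(snort_ts)
    base = utc(year, month, day, hour, minute, second)
    return _epoch_ms(base + timedelta(milliseconds=frac))


def snort_to_epoch_ms(snort_ts, year):
    """Parse the same string with the fraction as a decimal fraction of a second
    (Snort prints microseconds); the result is truncated to milliseconds."""
    month, day, hour, minute, second, frac, ndigits = _fields(snort_ts)
    micros = frac * 10 ** (6 - ndigits)  # right-pad the fraction to six digits
    return _epoch_ms(utc(year, month, day, hour, minute, second, micros))


def pick_year(month, day, now):
    """Hypothetical replacement for the 'assume current year' TODO: keep the
    current year unless that would put the event in the future, in which case
    the line came from the previous calendar year (a December alert read in
    January). 02/29 can only belong to a leap year. `now` is an aware datetime."""
    year = now.year
    try:
        candidate = utc(year, month, day)
    except ValueError:
        return year - 1
    return year - 1 if candidate > now else year


def explain(snort_ts=SAMPLE_TS, year=SAMPLE_YEAR):
    """Return (lenient_ms, microsecond_ms, skew_ms) so the two readings can be compared."""
    lenient = lenient_java_epoch_ms(snort_ts, year)
    correct = snort_to_epoch_ms(snort_ts, year)
    return lenient, correct, lenient - correct


if __name__ == "__main__":
    lenient, correct, skew = explain()
    print("lenient 'S' parse :", lenient, datetime.fromtimestamp(lenient / 1000, timezone.utc))
    print("microsecond parse :", correct, datetime.fromtimestamp(correct / 1000, timezone.utc))
    print("skew (ms)         :", skew)
```

The skew scales with the fraction, so a line ending in ".9" is pushed only 9 ms instead of 900 ms while ".999999" lands almost 17 minutes late; any detection that correlates Snort alerts with other sources by time will be off by up to that much.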
